Analysis
- max time kernel: 138s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 03/02/2024, 14:43
Behavioral task: behavioral1
- Sample: 8c97c2d1349936dcba035061d4085478.exe
- Resource: win7-20231215-en
General
- Target: 8c97c2d1349936dcba035061d4085478.exe
- Size: 2.9MB
- MD5: 8c97c2d1349936dcba035061d4085478
- SHA1: bd8f34b023c3f32c0641039a784c3870d49bf370
- SHA256: b02fe033d0cbfe6b377932ed3b5169213ad2a967cf2d6161e24f74584980554d
- SHA512: 4e5c82d4b82c008e68ee80ffe4db12599b191e88bf97cabeaba0fd91ac0ba6882237ecb2ed4b4c829ce9eb29f58e294cb52fe3745dffa1ea1d1a7798f52f0659
- SSDEEP: 49152:QTx/ilu/xcfr+vfLjSiP4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:QThilu/xPHSigg3gnl/IVUs1jePs
Malware Config
- Extracted family: gozi
Signatures
- Deletes itself (1 IoC)
  pid 2436, process 8c97c2d1349936dcba035061d4085478.exe
- Executes dropped EXE (1 IoC)
  pid 2436, process 8c97c2d1349936dcba035061d4085478.exe
- UPX packed file (YARA rule: upx)
  behavioral2/memory/560-0-0x0000000000400000-0x00000000008EF000-memory.dmp
  behavioral2/files/0x0007000000023149-11.dat
  behavioral2/memory/2436-13-0x0000000000400000-0x00000000008EF000-memory.dmp
- Suspicious behavior: RenamesItself (1 IoC)
  pid 560, process 8c97c2d1349936dcba035061d4085478.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 560, process 8c97c2d1349936dcba035061d4085478.exe
  pid 2436, process 8c97c2d1349936dcba035061d4085478.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 560 wrote to memory of 2436 (process 8c97c2d1349936dcba035061d4085478.exe, procid_target 83)
  PID 560 wrote to memory of 2436 (process 8c97c2d1349936dcba035061d4085478.exe, procid_target 83)
  PID 560 wrote to memory of 2436 (process 8c97c2d1349936dcba035061d4085478.exe, procid_target 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe"
  PID: 560
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe (child of PID 560)
    Command line: C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
    PID: 2436
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.9MB
  MD5: 734b92e2a7942f48a1722e54ef257a71
  SHA1: e5d91a36ba33e8e878bc8a30f38f785f7571681b
  SHA256: 24bb240ac37ebbf44684df6ecdd126a8336396382949366db812dcd98cf58849
  SHA512: b2df55e405a52cd86671300b408353cc9d8c8ca8824cd3dd46efc0b7f1e7a6cd6629bf36b8ccf46981e1ef391cac5bf64bd339275776b4d8a3594cf7076cd474